
Sophos XG too many Notification IPS and Malware over Mail

Hello,

I am receiving many notifications like

Message:
BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt

Mostly, when I look it up, it has something to do with some kind of advertisement API from Google or other cloud services. (There are other message types too.)

Now, with 60 users, my mailbox gets very full in no time, sometimes about 300 notifications in one minute.

First of all, these notifications are not helping much; if I get them, it's probably blocked then, right? And if I want to check it, I would at least need an IP address or computer name of whoever is causing the trouble; after that I would look up what they were doing. So basically I could save some work time if this information was already in the e-mail.

An option to group the mails would be nice too, like if there are 200 mails of the same source/alert type, only one will be sent in the next 5 seconds?

Adding notification exceptions would also be nice, like don't send, or group per minute, for a specific alert message. (Example: the above one is for Internet Explorer; nobody uses that here anymore, but the IPS scans for all browser types, sadly.)



  • I personally find it very dangerous to not find the root cause of such alerts. Threat hunting should be done after each and every alert. If there is a false positive, you should follow up to get those resolved.

    That is the reason Managed Detection is currently very popular, as most customers still work like this suggestion: simply ignore the additional alerts.

    Actually, you should investigate the alerts by using your EDR/XDR tools, as this is just a starting point going forward. Email alerting could already be too late. Looking into the database/lakes of your choice and logically linking them to the detections you see on your servers/clients should be the next step.

    See MITRE ATT&CK.


  • Yes, we do root cause analysis. 50 mails per second for the same detection from one computer are still badly coded by Sophos..

    The root cause for many IPS alerts: people watching Amazon Prime videos (permitted usage) with Mozilla Firefox, creating this IPS alert for Flash Player, which does not exist in Firefox or on the system: FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt

    Or users tracking parcels on the Hermes website with Firefox or Chrome, causing Internet Explorer alerts:

    BROWSER-IE Microsoft Internet Explorer JSON stringify double free attempt

    That combination does not make sense though.

    We also insert a lot of coins into Sophos MDR service.

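The grouping and exception behaviour the original poster asked for (one mail per source and alert type per 5-second window, plus a "do not send" list for signatures that cannot apply here, such as the BROWSER-IE and FILE-FLASH rules the reply above describes firing on Firefox traffic) can be prototyped outside the firewall before anyone touches the notification settings. The following is an added example written for this thread, not Sophos code and not from any poster: the alert tuples are constructed sample data, the 5-second window and the suppressed-prefix list are assumptions, and a real deployment would feed it from the XG's syslog or the notification mailbox instead of an inline list.

```python
"""Group repeated IPS notifications and drop suppressed signatures.

Added example for this thread, not Sophos code. Input format is constructed:
(timestamp, source IP, hostname, IPS message). Assumptions: a 5-second grouping
window and a prefix list of signatures that cannot apply in this environment.
"""
from datetime import datetime, timedelta

# Constructed sample alerts (not real firewall output). Two hosts repeat the same
# signature within seconds; one alert for PC042 arrives outside the window.
SAMPLE_ALERTS = [
    ("2023-03-01T10:00:00", "10.0.0.15", "PC015",
     "BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"),
    ("2023-03-01T10:00:01", "10.0.0.15", "PC015",
     "BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"),
    ("2023-03-01T10:00:01", "10.0.0.42", "PC042",
     "FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt"),
    ("2023-03-01T10:00:02", "10.0.0.42", "PC042",
     "FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt"),
    ("2023-03-01T10:00:03", "10.0.0.42", "PC042",
     "FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt"),
    ("2023-03-01T10:00:09", "10.0.0.42", "PC042",
     "FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt"),
    ("2023-03-01T10:00:04", "10.0.0.77", "PC077",
     "BROWSER-IE Microsoft Internet Explorer JSON stringify double free attempt"),
]

# Assumption: no Internet Explorer in the environment, so IE-only signatures are
# noise here. Keep this list short and reviewed; it is a suppression, not a fix.
SUPPRESSED_PREFIXES = ("BROWSER-IE",)


def parse_alerts(rows):
    """Turn constructed (ts, ip, host, message) tuples into dicts with a datetime."""
    return [
        {"ts": datetime.fromisoformat(ts), "src_ip": ip, "host": host, "message": msg}
        for ts, ip, host, msg in rows
    ]


def group_alerts(alerts, window_seconds=5, suppressed_prefixes=()):
    """Collapse alerts sharing (source IP, message) within a time window.

    Returns one summary dict per group, ordered by first occurrence. Alerts whose
    message starts with any suppressed prefix are dropped entirely.
    """
    window = timedelta(seconds=window_seconds)
    open_groups = {}   # (src_ip, message) -> summary still accepting alerts
    closed = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        if alert["message"].startswith(tuple(suppressed_prefixes)):
            continue
        key = (alert["src_ip"], alert["message"])
        group = open_groups.get(key)
        if group is not None and alert["ts"] - group["first_seen"] < window:
            group["count"] += 1
            group["last_seen"] = alert["ts"]
            continue
        if group is not None:
            closed.append(group)          # window expired: emit it, start a new one
        open_groups[key] = {
            "src_ip": alert["src_ip"], "host": alert["host"],
            "message": alert["message"], "first_seen": alert["ts"],
            "last_seen": alert["ts"], "count": 1,
        }
    closed.extend(open_groups.values())
    closed.sort(key=lambda g: (g["first_seen"], g["src_ip"]))
    return closed


def format_summary(group):
    """One mail line per group, carrying the host and IP the poster asked for."""
    span = (group["last_seen"] - group["first_seen"]).total_seconds()
    return (f"{group['count']}x {group['message']} from {group['host']} "
            f"({group['src_ip']}) starting {group['first_seen'].isoformat()} "
            f"over {span:.0f}s")


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} raw alerts -> {len(group_alerts(alerts))} mails without suppression")
    for g in group_alerts(alerts, suppressed_prefixes=SUPPRESSED_PREFIXES):
        print(format_summary(g))
```

On the seven constructed alerts this turns 7 mails into 4 without suppression and into 2 with the BROWSER-IE prefix suppressed; the three FILE-FLASH hits within 5 seconds become one line, and the one 8 seconds later starts a fresh group rather than being silently absorbed. Note that suppression only hides a signature from the mailbox: the firewall still logs the hit, so the suppressed list should be reviewed against the IPS log occasionally rather than treated as a permanent fix.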